teslacrypt | a9bcbc903b6a4fe98280f6de765c3362bdddc2fd49ce3312287c0a9ccdb4a526

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_820330e49a0f1aa4aca6fed989d07083.exe
Size

352KB
MD5

820330e49a0f1aa4aca6fed989d07083
SHA1

a9a90a57252ae0ce4adf0a6d1b2a7de0cc4775d1
SHA256

a9bcbc903b6a4fe98280f6de765c3362bdddc2fd49ce3312287c0a9ccdb4a526
SHA512

425229479c423bcd16502954d851cbad8199fa2ac4fe1e8b2a029470e589bfbff41aab6ae9bea2216f4cb3c3fa69f1cc54c8f1747cf44d1d82551c875640930c
SSDEEP

6144:pMeb/EDtpBx1aRXJub19pf3gOURaJmf+ubexB3wLaYZSzvF:pTb/wtN1aRXJg1f3gO9Jm+u2BgeYkzv

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+rumwy.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/264591A4AF7D8D95 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/264591A4AF7D8D95 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/264591A4AF7D8D95 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/264591A4AF7D8D95 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/264591A4AF7D8D95 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/264591A4AF7D8D95 http://yyre45dbvn2nhbefbmh.begumvelic.at/264591A4AF7D8D95 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/264591A4AF7D8D95

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/264591A4AF7D8D95

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/264591A4AF7D8D95

http://yyre45dbvn2nhbefbmh.begumvelic.at/264591A4AF7D8D95

http://xlowfznrg4wf7dli.ONION/264591A4AF7D8D95

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (881) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VirusShare_820330e49a0f1aa4aca6fed989d07083.execsouqdkhyolp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	VirusShare_820330e49a0f1aa4aca6fed989d07083.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	csouqdkhyolp.exe

Drops startup file 6 IoCs

Processes:

csouqdkhyolp.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+rumwy.png	csouqdkhyolp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+rumwy.txt	csouqdkhyolp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+rumwy.html	csouqdkhyolp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+rumwy.png	csouqdkhyolp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+rumwy.txt	csouqdkhyolp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+rumwy.html	csouqdkhyolp.exe

Executes dropped EXE 1 IoCs

Processes:

csouqdkhyolp.exe

pid process

4524 csouqdkhyolp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

csouqdkhyolp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pnxpgqu = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\csouqdkhyolp.exe"	csouqdkhyolp.exe

Drops file in Program Files directory 64 IoCs

Processes:

csouqdkhyolp.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\logo.scale-200_contrast-white.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\TinyTile.scale-200_contrast-black.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-336.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\_ReCoVeRy_+rumwy.html	csouqdkhyolp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-80.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\_ReCoVeRy_+rumwy.html	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-125_contrast-black.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\MixedRealityPortalSplashScreen.scale-100.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+rumwy.txt	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-300.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-30.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-black_scale-100.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchSmallTile.contrast-black_scale-125.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\_ReCoVeRy_+rumwy.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SmallTile.scale-100.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-64_altform-lightunplated.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\Fonts\_ReCoVeRy_+rumwy.html	csouqdkhyolp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\_ReCoVeRy_+rumwy.html	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-125_contrast-black.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-256_altform-unplated.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\_ReCoVeRy_+rumwy.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-125_contrast-black.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+rumwy.html	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+rumwy.txt	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_ReCoVeRy_+rumwy.txt	csouqdkhyolp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\_ReCoVeRy_+rumwy.html	csouqdkhyolp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-100_contrast-black.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-200.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-80.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\_ReCoVeRy_+rumwy.html	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-200_contrast-white.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\_ReCoVeRy_+rumwy.html	csouqdkhyolp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\_ReCoVeRy_+rumwy.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\_ReCoVeRy_+rumwy.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_ReCoVeRy_+rumwy.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.scale-200.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+rumwy.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+rumwy.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-400_contrast-black.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-30.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+rumwy.html	csouqdkhyolp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\THMBNAIL.PNG	csouqdkhyolp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_ReCoVeRy_+rumwy.txt	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-96_contrast-black.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionMedTile.scale-200.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+rumwy.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\_ReCoVeRy_+rumwy.html	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_altform-unplated_contrast-white.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\_ReCoVeRy_+rumwy.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-40_altform-unplated_contrast-white.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TinyTile.scale-100_contrast-white.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ml-IN\_ReCoVeRy_+rumwy.html	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\1.jpg	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\_ReCoVeRy_+rumwy.html	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\_ReCoVeRy_+rumwy.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView-Dark.scale-200.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt	csouqdkhyolp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\_ReCoVeRy_+rumwy.html	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Views\Utilities\Styling\css\_ReCoVeRy_+rumwy.html	csouqdkhyolp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_contrast-white.png	csouqdkhyolp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\_ReCoVeRy_+rumwy.txt	csouqdkhyolp.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_820330e49a0f1aa4aca6fed989d07083.exe

description	ioc	process
File created	C:\Windows\csouqdkhyolp.exe	VirusShare_820330e49a0f1aa4aca6fed989d07083.exe
File opened for modification	C:\Windows\csouqdkhyolp.exe	VirusShare_820330e49a0f1aa4aca6fed989d07083.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

csouqdkhyolp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings csouqdkhyolp.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1808 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	csouqdkhyolp.exe

pid	process
1808	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

csouqdkhyolp.exe

pid	process
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe
4524	csouqdkhyolp.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

5016 msedge.exe
5016 msedge.exe
5016 msedge.exe
5016 msedge.exe
5016 msedge.exe
5016 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VirusShare_820330e49a0f1aa4aca6fed989d07083.execsouqdkhyolp.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2164	VirusShare_820330e49a0f1aa4aca6fed989d07083.exe
Token: SeDebugPrivilege	4524	csouqdkhyolp.exe
Token: SeIncreaseQuotaPrivilege	4116	WMIC.exe
Token: SeSecurityPrivilege	4116	WMIC.exe
Token: SeTakeOwnershipPrivilege	4116	WMIC.exe
Token: SeLoadDriverPrivilege	4116	WMIC.exe
Token: SeSystemProfilePrivilege	4116	WMIC.exe
Token: SeSystemtimePrivilege	4116	WMIC.exe
Token: SeProfSingleProcessPrivilege	4116	WMIC.exe
Token: SeIncBasePriorityPrivilege	4116	WMIC.exe
Token: SeCreatePagefilePrivilege	4116	WMIC.exe
Token: SeBackupPrivilege	4116	WMIC.exe
Token: SeRestorePrivilege	4116	WMIC.exe
Token: SeShutdownPrivilege	4116	WMIC.exe
Token: SeDebugPrivilege	4116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4116	WMIC.exe
Token: SeRemoteShutdownPrivilege	4116	WMIC.exe
Token: SeUndockPrivilege	4116	WMIC.exe
Token: SeManageVolumePrivilege	4116	WMIC.exe
Token: 33	4116	WMIC.exe
Token: 34	4116	WMIC.exe
Token: 35	4116	WMIC.exe
Token: 36	4116	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4116	WMIC.exe
Token: SeSecurityPrivilege	4116	WMIC.exe
Token: SeTakeOwnershipPrivilege	4116	WMIC.exe
Token: SeLoadDriverPrivilege	4116	WMIC.exe
Token: SeSystemProfilePrivilege	4116	WMIC.exe
Token: SeSystemtimePrivilege	4116	WMIC.exe
Token: SeProfSingleProcessPrivilege	4116	WMIC.exe
Token: SeIncBasePriorityPrivilege	4116	WMIC.exe
Token: SeCreatePagefilePrivilege	4116	WMIC.exe
Token: SeBackupPrivilege	4116	WMIC.exe
Token: SeRestorePrivilege	4116	WMIC.exe
Token: SeShutdownPrivilege	4116	WMIC.exe
Token: SeDebugPrivilege	4116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4116	WMIC.exe
Token: SeRemoteShutdownPrivilege	4116	WMIC.exe
Token: SeUndockPrivilege	4116	WMIC.exe
Token: SeManageVolumePrivilege	4116	WMIC.exe
Token: 33	4116	WMIC.exe
Token: 34	4116	WMIC.exe
Token: 35	4116	WMIC.exe
Token: 36	4116	WMIC.exe
Token: SeBackupPrivilege	4944	vssvc.exe
Token: SeRestorePrivilege	4944	vssvc.exe
Token: SeAuditPrivilege	4944	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2604	WMIC.exe
Token: SeSecurityPrivilege	2604	WMIC.exe
Token: SeTakeOwnershipPrivilege	2604	WMIC.exe
Token: SeLoadDriverPrivilege	2604	WMIC.exe
Token: SeSystemProfilePrivilege	2604	WMIC.exe
Token: SeSystemtimePrivilege	2604	WMIC.exe
Token: SeProfSingleProcessPrivilege	2604	WMIC.exe
Token: SeIncBasePriorityPrivilege	2604	WMIC.exe
Token: SeCreatePagefilePrivilege	2604	WMIC.exe
Token: SeBackupPrivilege	2604	WMIC.exe
Token: SeRestorePrivilege	2604	WMIC.exe
Token: SeShutdownPrivilege	2604	WMIC.exe
Token: SeDebugPrivilege	2604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2604	WMIC.exe
Token: SeRemoteShutdownPrivilege	2604	WMIC.exe
Token: SeUndockPrivilege	2604	WMIC.exe
Token: SeManageVolumePrivilege	2604	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VirusShare_820330e49a0f1aa4aca6fed989d07083.execsouqdkhyolp.exemsedge.exe

description	pid	process	target process
PID 2164 wrote to memory of 4524	2164	VirusShare_820330e49a0f1aa4aca6fed989d07083.exe	csouqdkhyolp.exe
PID 2164 wrote to memory of 4524	2164	VirusShare_820330e49a0f1aa4aca6fed989d07083.exe	csouqdkhyolp.exe
PID 2164 wrote to memory of 4524	2164	VirusShare_820330e49a0f1aa4aca6fed989d07083.exe	csouqdkhyolp.exe
PID 2164 wrote to memory of 2440	2164	VirusShare_820330e49a0f1aa4aca6fed989d07083.exe	cmd.exe
PID 2164 wrote to memory of 2440	2164	VirusShare_820330e49a0f1aa4aca6fed989d07083.exe	cmd.exe
PID 2164 wrote to memory of 2440	2164	VirusShare_820330e49a0f1aa4aca6fed989d07083.exe	cmd.exe
PID 4524 wrote to memory of 4116	4524	csouqdkhyolp.exe	WMIC.exe
PID 4524 wrote to memory of 4116	4524	csouqdkhyolp.exe	WMIC.exe
PID 4524 wrote to memory of 1808	4524	csouqdkhyolp.exe	NOTEPAD.EXE
PID 4524 wrote to memory of 1808	4524	csouqdkhyolp.exe	NOTEPAD.EXE
PID 4524 wrote to memory of 1808	4524	csouqdkhyolp.exe	NOTEPAD.EXE
PID 4524 wrote to memory of 5016	4524	csouqdkhyolp.exe	msedge.exe
PID 4524 wrote to memory of 5016	4524	csouqdkhyolp.exe	msedge.exe
PID 5016 wrote to memory of 2240	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 2240	5016	msedge.exe	msedge.exe
PID 4524 wrote to memory of 2604	4524	csouqdkhyolp.exe	WMIC.exe
PID 4524 wrote to memory of 2604	4524	csouqdkhyolp.exe	WMIC.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3248	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 620	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 620	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3800	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3800	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3800	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3800	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 3800	5016	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

csouqdkhyolp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csouqdkhyolp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	csouqdkhyolp.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_820330e49a0f1aa4aca6fed989d07083.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_820330e49a0f1aa4aca6fed989d07083.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\csouqdkhyolp.exe
  C:\Windows\csouqdkhyolp.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4524
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4116
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8d6546f8,0x7ffd8d654708,0x7ffd8d654718
      4⤵
      PID:2240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,1412419004812039684,17216821692689072348,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
      4⤵
      PID:3248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,1412419004812039684,17216821692689072348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
      4⤵
      PID:620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,1412419004812039684,17216821692689072348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
      4⤵
      PID:3800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1412419004812039684,17216821692689072348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      4⤵
      PID:4912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1412419004812039684,17216821692689072348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
      4⤵
      PID:1288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,1412419004812039684,17216821692689072348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
      4⤵
      PID:1644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,1412419004812039684,17216821692689072348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
      4⤵
      PID:1564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1412419004812039684,17216821692689072348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
      4⤵
      PID:1500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1412419004812039684,17216821692689072348,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
      4⤵
      PID:684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1412419004812039684,17216821692689072348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
      4⤵
      PID:1580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1412419004812039684,17216821692689072348,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      4⤵
      PID:1900
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\CSOUQD~1.EXE
    3⤵
    PID:1252
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  PID:2440

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+rumwy.html

Filesize
12KB

MD5
ba632b239d0593c69bcd44b4d28d0750

SHA1
4974159e7ade78907d37a0a82bc1b4784af7102c

SHA256
a9aa23b607e5519307b8b8d80f835e6d4259c31a7d9d74efd7e543f87673798e

SHA512
4b683ad64156cad65b93e8fdfea011ce68c4efb7db27399a85f79dfe8bc636ba113e9dd83d9f37261cfd994a9d2e086daa9180265e9673b2530336f6a0adc547

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+rumwy.png

Filesize
65KB

MD5
aa0d0174ab5777348bcde8853218e3b5

SHA1
93490c5e27a131a857590abf5addccd1a3259d69

SHA256
960d92a04a9b502de09897eb3157f0285b65b44db69df0094398941b85576a78

SHA512
204238b84ba377447d1b7a13da1f816ffad78e5c2870a12a2d432f48c3c442347aef07082c10505507997918ee2374dfa1d2e48df9d0201bd08effe1aa6992d4

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+rumwy.txt

Filesize
1KB

MD5
60a348e5693a47b45fa76ab4502d1498

SHA1
859f0b219428f87b36c2f3798302a150cd591a7c

SHA256
f60702f2154bb0bc9ef6421fee88022a8f7c6b8cf3b282726529569e5d6b76ec

SHA512
746a436ad6be52f59c7a0218cb2244d377802cf73de200e3742c65c98ce1aba3d074c97126279069a2c6ff166deb1c0d72d1b06a2f3fd0b22c31d165ab8eb681

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
e1c1735884effee1554d37ce3ce90ca8

SHA1
3183f1b28cc6bd921ec823b045f5720cd3be246b

SHA256
873172fb0f4ca03af18335bc6ea3b693fc7ae5f15eba9142e31f9b0796e98b57

SHA512
be4dca378415a909a13a2fe12df79842bb277304467950b8b153fa7a1df10b9a1c64a9367ab042549f1683f99931197ebb5a94b947f1beabda251d397314808c

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
9c28dad483e4e2a0971fd2f0de6af171

SHA1
d72ca6fb76da93aecbb14abbbb213f7c7d29577b

SHA256
895c106f5424d23593fc856622d4e7784074f81a635c5dec420f19afb75978c2

SHA512
a3966ad5b40ef9c513df08419e12cb6cafe443fd07a9f3d640004dd0eec529c9348742cc5558d7a37b461b2a8237870faf5b9c7e3560aebc8ddc03e349d3c754

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
218e37fbbe337156aacbea4e19d7bbef

SHA1
f1e532c0bba4ef0870571c18d30c83db2e9e5c63

SHA256
860d037bf1c1c9a6e1056c05b55bf2e34f43c1428574c7e2d3ae1be921623f0f

SHA512
fd612f1a6f2b8c27a68ca2873500f7322631991bd63d7f2043d4319a3b26ed0c993740b127f067d55689c305f92e9e543f7574c409dd6b2f26922ac30c850337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
33f3ec885cff12abb3f7ad7a31d93c09

SHA1
47df0f5b82f7a26a2e47887113f03056abecba28

SHA256
802de75cac04956d536f22741068dc05adac3def9604ba67cf81ca93960329fc

SHA512
a8edda1e6ab551ee5cddc0fbad9d0e5018f008b55631f3fb4fce264088027ef08101288d5cc9f8cc8cee59a4af655655006736d451d4944c93eb513afef723ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
15c028b18ff5c5976966681848a0c8e8

SHA1
1d4f9078f5accb024f143ad5affd1ec734e6c598

SHA256
c8d5cad75995b174fd478786acf0a1f995c4ce86848b0170caadb79b81bee7b6

SHA512
241077b8f44d26219a9aca6f55ef3a674a34f0c286e6e5eddba1f6bbbaf47070ae6de2606ab868c64228cfaf3ae893ea617155c2fb03f54e22eae9194653c61a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
40b044418c74be6fcb8febc8f822ac10

SHA1
eda995b86374ad77c3f206fa39f4127c495b1c37

SHA256
474c7ddb84b8660985365d1abd58ef917799509eacad723c27ed20ef797d464c

SHA512
a05efea027bd846eb19d1e8450ee2249dd6588eb6057a040c17a70652a5b507d6da8844038eb99a9abaa5e64a469212d38092595e8f1d92f03666ca28561a8f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586087795228297.txt

Filesize
47KB

MD5
0cef7ce756fab1eef98cdedae8c0ccee

SHA1
9b99ac4b3f6b420bba05ea730b4333c0bc93a29f

SHA256
ac07193505ec74f01c5be16b4ae5ff2411b28d377f2eee7e3dadd9561a05c5c2

SHA512
d58a5d1add73de969a9c61d396d7f8d043e6869af4407bcd141f18e8f3c715f4d00c8fe209a668458ef15533845452569fe46e3d5d13d68b1ab5c3b368e2f9f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586104364888186.txt

Filesize
75KB

MD5
6e985ea3636564c156d195b4d1c05e40

SHA1
d9fe6b4309a2928397cdf976386a748f31fe07d2

SHA256
dec11919324b6d57fc298661b83b4c28d0bf0282e820476f83fd2a38ce7483bc

SHA512
d36fde42e8aa65f1a2742a0df5558441eb8a739a476eb64e8056a33665bb8285d83126391f63e652f0d262ef93925785b57b1d9d0fbfe6000b5b0be865f98abd

Download Submit
C:\Windows\csouqdkhyolp.exe

Filesize
352KB

MD5
820330e49a0f1aa4aca6fed989d07083

SHA1
a9a90a57252ae0ce4adf0a6d1b2a7de0cc4775d1

SHA256
a9bcbc903b6a4fe98280f6de765c3362bdddc2fd49ce3312287c0a9ccdb4a526

SHA512
425229479c423bcd16502954d851cbad8199fa2ac4fe1e8b2a029470e589bfbff41aab6ae9bea2216f4cb3c3fa69f1cc54c8f1747cf44d1d82551c875640930c

Download Submit
\??\pipe\LOCAL\crashpad_5016_YJUPOIZBYNKKWDKZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2164-0-0x00000000021A0000-0x0000000002226000-memory.dmp

Filesize
536KB

Download
memory/2164-1-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2164-9-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2164-10-0x00000000021A0000-0x0000000002226000-memory.dmp

Filesize
536KB

Download
memory/4524-1097-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4524-4208-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4524-7058-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4524-11-0x0000000002120000-0x00000000021A6000-memory.dmp

Filesize
536KB

Download
memory/4524-10405-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4524-10467-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4524-10181-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4524-4739-0x0000000002120000-0x00000000021A6000-memory.dmp

Filesize
536KB

Download
memory/4524-10500-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download